Since our research on this situation posted, Mike Peters, Co-Founder & General Manager at iBario LTD, has contacted us. Mr. Peters has claimed that the events related to the SEFNIT and MEVADE malware are due to the actions of a rogue contractor who was able to compromise their network and suborn their systems for malicious purposes without their knowledge. Mr. Peters has indicated that he has worked with Microsoft on this matter and they have both offered to provide additional information in this regard. We have told Mr. Peters that we would be happy to review any new information and make any updates based on additional analysis based on new data.

Adware often lives in the shadow between legitimate software and malware. And for a long time InstallBrain lived in that grey world. At least it did until 2013 when it crossed the line to become outright malware by installing SEFNIT/MEVADE on user’s systems without their consent. While this connection has been known, our research can now show clear ties between the people behind the SEFNIT/MEVADE malware and InstallBrain, the adware that installed it. Our research shows clear ties between the threat actors behind SEFNIT/MEVADE based in Ukraine and iBario, maker of InstallBrain, based in Israel.

In August 2013 Trend Micro (and others in the industry) noted a huge increase in the number of TOR users from 1 million users to more than 5 million over the span of a couple of weeks.

Figure 1: August 2013 saw a dramatic increase in Tor network users.

Trend Micro researchers discovered that this increase in the number of TOR users was due to infections of SEFNIT/MEVADE, which has TOR components. SEFNIT/MEVADE has been around since 2010 and is a family known for clickfraud, search engine hijacking and BitCoin mining. In conjunction with this spike, the Trend Micro™ Smart Protection Network found infections in more than 68 countries with most of the victims in Japan, US, Taiwan and India.

Our research indicated that SEFNIT/MEVADE was being downloaded by adware called InstallBrain.

InstallBrain is an ad-supported web browser plug-in and is installed on millions of computers across around 150 countries worldwide.

Figure 2: InstallBrain was detected most in the countries above.

While InstallBrain is reported to exhibit rootkit capabilities to hook deep into the operating system, hijack browsers, and interfere with the user experience, it hasn’t been considered malicious until its association with SEFNIT/MEVADE.

According to the Times of Israel, InstallBrain is owned by a company called iBario. iBario is a web ad company based in Israel and founded in 2007. iBario is estimated to be worth $100M and is known for offering free software installation and managing large advertising networks. iBario’s customers include downloading platforms, shopping sites, recipe sites, Internet speed measuring sites, and question and answer information sites among others. iBario is one of Google’s biggest advertising partners.

iBario also issued four requests to remove Google search results in 2012 and 2013 because of alleged copyright infringement. The results iBario requested to be taken down explained how to remove iBario’s adware. Google rejected these requests.

Recently, iBario removed InstallBrain and replaced it with “UnknownFile” (the actual name of the new application). However, analysis of “UnknownFile” shows it to actually be a variant of InstallBrain.

Research traces SEFNIT/MEVADE to threat actors in Kharkov Ukraine. One of the main actors is known as “Scorpion.” Our research in September 2013 identified him and his partner “Dekadent” as being behind this malware. Further research shows numerous ties between these threat actors in Ukraine and iBario.

Our researchers discovered SEFNIT/MEVADE code in a repository hosted on a domain owned by one of the Ukrainian threat actors. That domain points to an IP address within the IP block of iBario, the owner of InstallBrain.

Analysis of SEFNIT/MEVADE and InstallBrain show similarities in their code.

Analysis also shows similarities in how SEFNIT/MEVADE and InstallBrain connect to their respective command and control (C&C) servers.

These same Ukrainian contractors for iBario have been working on a project called “Antivirus Check System (ACS),” which checks for anti-malware detection rates before new malware are used in the wild.

InstallBrain’s CTO is included in the list of ACS users

iBario has claimed to be to entirely an Israeli company. However an organizational chart for “iBario Ukraine” showing someone who could be the Chief Technology Officer for InstallBrain (“Michael”) as well as vacation pictures on social media from a Ukrainian contractor (“Bisovman”) associated with iBario would seem to tell another story.

Finally, it’s also noteworthy that our Smart Protection Network data showed practically no SEFNIT/MEVADE infections in Israel where iBario is based. It’s not uncommon for cybercriminals to spare their fellow citizens and target outsiders only. It’s also possible that iBario didn’t want to run afoul of law enforcement in the same country that they’re based.

Taken all together, this evidence shows that the Ukrainian individuals who developed InstallBrain and MEVADE/SEFNIT malware actually worked for iBario.

This isn’t the first time that seemingly legitimate companies have expanded into malicious activity. Rove Digital, an Estonian company that held Esthost, a hosting company, seemed legitimate was later found to be engaged in online criminal activity. In this case, it shows how adware, by being installed on the system already, can easily be switched over and used for illicit purposes.